Recently I was in a hotel needing to make a payment, there was no phone signal so I could not receive my Two Factor Auth token. Luckily for me Paypal’s 2FA took less than five minutes to bypass.

Any suggestion that PayPal’s 2FA security is flawed is definitely a serious concern, so how did he do it?

Well, if you don’t have your mobile easily to hand to receive your 2FA code from PayPal they’ll give you the option of answering your special security question instead.

However, Hoggard discovered that meddling with the post data sent by his browser to remove securityQuestion0 and securityQuestion1 would trick PayPal into believing he had verified his account access.

Hoggard told PayPal about the vulnerability at the start of this month, and the company has now fixed the flaw and rewarded the researcher with a bug bounty.

Of course, attackers would not have been able to exploit this flaw unless they already knew a user’s password - but we know all too well that many users either choose weak passwords or reuse the same password on multiple sites. When built properly, two-factor authentication can make it harder for attackers to break into your account in these situations.

It’s great when websites offer their users two-factor and two-step verification, but they also need to ensure that they have implemented the feature securely.

About the author, Graham Cluley

Graham Cluley is a veteran of the anti-virus industry having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy.

7 Responses

Added to which, PayPal’s 2FA didn’t work at all on the mobile app last I checked, so the choice was to disable it and rely on a password only, or only use a desktop/laptop to send payments. I guess the board at PayPal/eBay view security as unworthy of serious investment, since they have a near-monopoly.